Info icon
End of Life Notice: For Trend Cloud One™ - Conformity Customers, Conformity will reach its End of Sale on “July 31st, 2025” and End of Life “July 31st, 2026”. The same capabilities and much more is available in Trend Vision One™ Cloud Risk Management. For details, please refer to Upgrade to Trend Vision One
Logo of Trend Micro
Use the Knowledge Base AI to help improve your Cloud Posture

Enable Custom Logs Monitoring

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: OCI-Compute-005

Ensure that Custom Logs Monitoring feature is enabled for your Oracle Cloud Infrastructure (OCI) compute instances. The feature uses the Unified Monitoring Agent (also known as "Custom Logs Monitoring" plugin) to collect custom application logs from the compute instance and ingest them into the centralized OCI Logging service for streamlined searching, analysis, and management.

Security

Enable the Custom Logs Monitoring feature to centralize application logs for visibility and unified analysis, streamline troubleshooting and diagnostics for custom applications, and leverage OCI Logging service features like searching, alarming, and archiving.

Custom logs monitoring can't be enabled unless the Oracle Cloud Agent is installed on the compute instance. Oracle Cloud Agent is a lightweight process that manages plugins running on your instance. If your compute instance uses a current platform image or a custom image based on one, the Oracle Cloud Agent is installed by default. Otherwise, refer to this guide to install the Oracle Cloud Agent software.

Audit

To determine if custom logs monitoring is enabled for your OCI compute instances, perform the following operations:

Using OCI Console

01 Sign in to your Oracle Cloud Infrastructure (OCI) account.

02 Navigate to Compute console available at https://cloud.oracle.com/compute/.

03 Choose the OCI compartment that you want to access from the Compartment dropdown list.

04 In the left navigation panel, under Overview, choose Instances to list the compute instances provisioned in the selected OCI compartment.

05 Click on the name (link) of the compute instance that you want to examine, listed in the Name column.

06 Select the Management tab to access the list of plugins supported by the selected instance, managed by the Oracle Cloud Agent.

07 In the Oracle Cloud Agent section, click inside the Search and Filter box, select Plugin name, type Custom Logs Monitoring, and choose Apply filter to return the Custom Logs Monitoring plugin.

08 Check the Custom Logs Monitoring plugin status, listed in the Enable plugin column. If the plugin status is set to Disabled, the Custom Logs Monitoring feature is not enabled for the selected Oracle Cloud Infrastructure (OCI) compute instance.

Using OCI CLI

01 Run iam compartment list command (Windows/macOS/Linux) with output query filters to list the ID of each compartment available in your Oracle Cloud Infrastructure (OCI) account: 

oci iam compartment list
	--all
	--include-root
	--query 'data[]."id"'

02 The command output should return the requested OCI compartment identifiers (OCIDs): 

[
	"ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
	"ocid1.compartment.oc1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
]

03 Run compute instance list command (Windows/macOS/Linux) with the ID of the OCI compartment that you want to examine as the identifier parameter, the list the ID of each compute instance available in the selected OCI compartment: 

oci compute instance list
	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--region 'ap-sydney-1'
	--all
	--query 'data[]."id"'

04 The command output should return the requested compute instance IDs: 

[
	"ocid1.instance.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
	"ocid1.instance.oc1.ap-sydney-1.aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234"
]

05 Run compute instance get command (Windows/macOS/Linux) with the ID of the OCI compute instance that you want to examine as the identifier parameter and custom output filters to describe the operational state of each plugin installed on the selected instance, managed by the Oracle Cloud Agent: 

oci compute instance get
	--instance-id 'ocid1.instance.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--query 'data."agent-config"."plugins-config"'

06 The command output should return the list of plugins installed on the compute instance and their current status: 

[
	{
		"desired-state": "DISABLED",
		"name": "WebLogic Management Service"
	},
	{
		"desired-state": "DISABLED",
		"name": "Vulnerability Scanning"
	},
	{
		"desired-state": "DISABLED",
		"name": "Oracle Java Management Service"
	},
	{
		"desired-state": "DISABLED",
		"name": "OS Management Hub Agent"
	},
	{
		"desired-state": "DISABLED",
		"name": "Management Agent"
	},
	{
		"desired-state": "DISABLED",
		"name": "Custom Logs Monitoring"
	},
	{
		"desired-state": "DISABLED",
		"name": "Compute RDMA GPU Monitoring"
	},
	{
		"desired-state": "DISABLED",
		"name": "Compute Instance Run Command"
	},
	{
		"desired-state": "ENABLED",
		"name": "Compute Instance Monitoring"
	},
	{
		"desired-state": "DISABLED",
		"name": "Compute HPC RDMA Auto-Configuration"
	},
	{
		"desired-state": "DISABLED",
		"name": "Compute HPC RDMA Authentication"
	},
	{
		"desired-state": "DISABLED",
		"name": "Cloud Guard Workload Protection"
	},
	{
		"desired-state": "DISABLED",
		"name": "Block Volume Management"
	},
	{
		"desired-state": "DISABLED",
		"name": "Bastion"
	}
]

Check the "desired-state" property value set for the "Custom Logs Monitoring" plugin to determine the operational state of the plugin. If the "desired-state" value is set to "DISABLED", as shown in the output example above, the Custom Logs Monitoring feature is not enabled for the selected Oracle Cloud Infrastructure (OCI) compute instance.

Remediation / Resolution

To ensure that Cloud Guard Workload Protection is enabled for your Oracle Cloud Infrastructure (OCI) compute instances, perform the following operations:

Using OCI Console

01 Sign in to your Oracle Cloud Infrastructure (OCI) account.

02 Navigate to Compute console available at https://cloud.oracle.com/compute/.

03 Choose the OCI compartment that you want to access from the Compartment dropdown list.

04 In the left navigation panel, under Overview, choose Instances to list the compute instances provisioned in the selected OCI compartment.

05 Click on the name (link) of the compute instance that you want to configure, listed in the Name column.

06 Select the Management tab to access the list of supported instance plugins, managed by the Oracle Cloud Agent.

07 In the Oracle Cloud Agent section, click inside the Search and Filter box, select Plugin name, type Custom Logs Monitoring, and choose Apply filter to return the Custom Logs Monitoring plugin.

08 Click on the Actions button (i.e., 3-dot icon) next to the Custom Logs Monitoring plugin and choose Enable to enable custom logs monitoring for the selected OCI compute instance. It takes up to 10 minutes for the configuration change to take effect.

Using OCI CLI

01 Set the "desired-state" to "ENABLED" for the "Custom Logs Monitoring" plugin to enable the feature and save the "plugins-config" object to a file name cc-instance-plugins-config.json. Because the --agent-config parameter for compute instance update command replaces any existing values, ensure that "plugins-config" contains all the plugins managed by the Oracle Cloud Agent, as returned by the compute instance get command in the Audit process: 

{
	"plugins-config":
	[
		{
			"desired-state": "DISABLED",
			"name": "WebLogic Management Service"
		},
		{
			"desired-state": "DISABLED",
			"name": "Vulnerability Scanning"
		},
		{
			"desired-state": "DISABLED",
			"name": "Oracle Java Management Service"
		},
		{
			"desired-state": "DISABLED",
			"name": "OS Management Hub Agent"
		},
		{
			"desired-state": "DISABLED",
			"name": "Management Agent"
		},
		{
			"desired-state": "ENABLED",
			"name": "Custom Logs Monitoring"
		},
		{
			"desired-state": "DISABLED",
			"name": "Compute RDMA GPU Monitoring"
		},
		{
			"desired-state": "DISABLED",
			"name": "Compute Instance Run Command"
		},
		{
			"desired-state": "ENABLED",
			"name": "Compute Instance Monitoring"
		},
		{
			"desired-state": "DISABLED",
			"name": "Compute HPC RDMA Auto-Configuration"
		},
		{
			"desired-state": "DISABLED",
			"name": "Compute HPC RDMA Authentication"
		},
		{
			"desired-state": "ENABLED",
			"name": "Cloud Guard Workload Protection"
		},
		{
			"desired-state": "DISABLED",
			"name": "Block Volume Management"
		},
		{
			"desired-state": "DISABLED",
			"name": "Bastion"
		}
	]
}

02 Run compute instance update command (Windows/macOS/Linux) with the ID of the OCI compute instance that you want to configure as the identifier parameter, to enable the Custom Logs Monitoring feature for the selected compute instance. For --agent-config, use the plugins configuration file edited in the previous step (i.e., cc-instance-plugins-config.json): 

oci compute instance update
	--instance-id 'ocid1.instance.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--agent-config file://cc-instance-plugins-config.json

03 Type Y and press Enter for confirmation: 

WARNING: Updates to defined-tags and security-attributes and freeform-tags and agent-config and metadata and extended-metadata and shape-config and source-details and instance-options and launch-options and availability-config and platform-config and licensing-configs will replace any existing values. Are you sure you want to continue? [y/N]: Y

04 The command output should return the configuration infromation available for the modified compute instance (including the plugins config): 

{
	"data": {
		"availability-config": {
			"is-live-migration-preferred": null,
			"recovery-action": "RESTORE_INSTANCE"
		},
		"availability-domain": "ABCD:AP-SYDNEY-1-AD-1",
		"capacity-reservation-id": null,
		"cluster-placement-group-id": null,
		"compartment-id": "ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
		"dedicated-vm-host-id": null,
		"defined-tags": {},
		"display-name": "cc-project5-compute-instance",
		"extended-metadata": {},
		"fault-domain": "FAULT-DOMAIN-3",
		"freeform-tags": {},
		"id": "ocid1.instance.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
		"image-id": "ocid1.image.oc1.ap-sydney-1.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd",
		"instance-configuration-id": null,
		"instance-options": {
			"are-legacy-imds-endpoints-disabled": true
		},
		"agent-config": {
			"are-all-plugins-disabled": false,
			"is-management-disabled": false,
			"is-monitoring-disabled": false,
			"plugins-config": [
				{
					"desired-state": "DISABLED",
					"name": "WebLogic Management Service"
				},
				{
					"desired-state": "DISABLED",
					"name": "Vulnerability Scanning"
				},
				{
					"desired-state": "DISABLED",
					"name": "Oracle Java Management Service"
				},
				{
					"desired-state": "DISABLED",
					"name": "OS Management Hub Agent"
				},
				{
					"desired-state": "DISABLED",
					"name": "Management Agent"
				},
				{
					"desired-state": "ENABLED",
					"name": "Custom Logs Monitoring"
				},
				{
					"desired-state": "DISABLED",
					"name": "Compute RDMA GPU Monitoring"
				},
				{
					"desired-state": "DISABLED",
					"name": "Compute Instance Run Command"
				},
				{
					"desired-state": "ENABLED",
					"name": "Compute Instance Monitoring"
				},
				{
					"desired-state": "DISABLED",
					"name": "Compute HPC RDMA Auto-Configuration"
				},
				{
					"desired-state": "DISABLED",
					"name": "Compute HPC RDMA Authentication"
				},
				{
					"desired-state": "ENABLED",
					"name": "Cloud Guard Workload Protection"
				},
				{
					"desired-state": "DISABLED",
					"name": "Block Volume Management"
				},
				{
					"desired-state": "DISABLED",
					"name": "Bastion"
				}
			]
		},
		"ipxe-script": null,
		"is-ai-enterprise-enabled": null,
		"is-cross-numa-node": false,
		"launch-mode": "PARAVIRTUALIZED",
		"launch-options": {
			"boot-volume-type": "PARAVIRTUALIZED",
			"firmware": "UEFI_64",
			"is-consistent-volume-naming-enabled": true,
			"is-pv-encryption-in-transit-enabled": true,
			"network-type": "PARAVIRTUALIZED",
			"remote-data-volume-type": "PARAVIRTUALIZED"
		},
		"licensing-configs": null,
		"lifecycle-state": "RUNNING",
		"metadata": {},
		"placement-constraint-details": null,
		"platform-config": {
			"is-measured-boot-enabled": false,
			"is-memory-encryption-enabled": false,
			"is-secure-boot-enabled": true,
			"is-symmetric-multi-threading-enabled": true,
			"is-trusted-platform-module-enabled": false,
			"type": "AMD_VM"
		},
		"preemptible-instance-config": null,
		"region": "ap-sydney-1",
		"security-attributes": {},
		"security-attributes-state": "STABLE",
		"shape": "VM.Standard.E4.Flex",
		"shape-config": {
			"baseline-ocpu-utilization": null,
			"gpu-description": null,
			"gpus": 0,
			"local-disk-description": null,
			"local-disks": 0,
			"local-disks-total-size-in-gbs": null,
			"max-vnic-attachments": 2,
			"memory-in-gbs": 1.0,
			"networking-bandwidth-in-gbps": 1.0,
			"ocpus": 1.0,
			"processor-description": "2.55 GHz AMD EPYC™ 7J13 (Milan)",
			"vcpus": 2
		},
		"source-details": {
			"boot-volume-size-in-gbs": null,
			"boot-volume-vpus-per-gb": null,
			"image-id": "ocid1.image.oc1.ap-sydney-1.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd",
			"instance-source-image-filter-details": null,
			"kms-key-id": null,
			"source-type": "image"
		},
		"system-tags": {},
		"time-maintenance-reboot-due": null
	},
	"opc-work-request-id": "ocid1.coreservicesworkrequest.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd"
}

References

Publication date Nov 11, 2025

Related OCI-Compute rules